Cheat Sheet - DHCP Snooping

DHCP snooping helps prevent DHCP spoofing attacks by monitoring DHCP traffic and limiting DHCP replies from untrusted ports. When enabled, switch ports are categorized as trusted or untrusted, with legitimate DHCP servers only expected on trusted ports. The switch tracks DHCP bindings and discards replies from untrusted ports to prevent rogue servers from responding. Ports are assumed untrusted by default and can be configured with a rate limit for DHCP requests.

DHCP SNOOPING                                                   www.takistmr.com
DHCP Snooping

Cisco Catalyst switches can use the DHCP snooping feature to help mitigate DHCP spoofing attacks, where an attacker brings up a rogue DHCP server on a machine in the same subnet as the client PCs and the rogue server sends a carefully crafted DHCP reply with its own IP address substituted as the default gateway.

When DHCP snooping is enabled, switch ports are categorized as trusted or untrusted. Legitimate DHCP servers can be found on trusted ports, whereas all other hosts sit behind untrusted ports.

A switch intercepts all DHCP requests coming from untrusted ports before flooding them throughout the VLAN. Any DHCP replies coming from an untrusted port are discarded because they must have come from a rogue DHCP server. In addition, the offending switch port is automatically shut down in the errdisable state.

DHCP snooping also keeps track of the completed DHCP bindings as clients receive legitimate replies. This database contains the client MAC address, IP address offered, lease time, and so on.

By default, all switch ports are assumed to be untrusted, so DHCP replies are neither expected nor permitted on them. Only trusted ports are allowed to send DHCP replies. Therefore, you should identify only the ports where known, trusted DHCP servers are located.

For untrusted ports, an unlimited rate of DHCP requests is accepted by default. You can limit the rate to a value from 1 to 2048 DHCP packets per second.

You also can configure the switch to use DHCP option-82, the DHCP Relay Agent Information option, which is described in RFCs 3046 and 6607. When a DHCP request is intercepted on an untrusted port, the switch adds its own MAC address and the switch port identifier into the option-82 field of the request. The request is then forwarded normally so that it can reach a trusted DHCP server. Adding option-82 provides more information about the actual client that generated the DHCP request. In addition, the DHCP reply (if any) echoes back the option-82 information. The switch intercepts the reply and compares the option-82 data to confirm that the request came from a valid port on itself. This feature is enabled by default.

DHCP Snooping Case (diagram): User -- Switch -- DHCP Server. A Malicious User operating a rogue DHCP Server acts as Man-In-The-Middle for the network gateway.

DHCP Snooping Status Verification
! You can use the binding keyword to display all the known DHCP bindings that have been overheard. The switch maintains these in its own database. Otherwise, only the switch ports that are trusted or that have rate limiting applied are listed. All other ports are considered to be untrusted with an unlimited DHCP request rate.
SW# show ip dhcp snooping [binding]
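The decisions described above (trusted versus untrusted ports, dropping replies from untrusted ports and err-disabling the port, building the binding database, rate limiting requests, and inserting and verifying option-82) can be followed in a small model. The following Python is an added example, not Cisco code or the cheat sheet author's; the SnoopingSwitch class, its method names, the port names and the MAC/IP values are constructed assumptions, and the frame structure is simplified to the fields the logic needs.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional, Tuple

# DHCP message types as the snooping logic classifies them (simplified model)
REPLY_TYPES = {"OFFER", "ACK", "NAK"}                                    # server -> client
REQUEST_TYPES = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE", "INFORM"}  # client -> server


@dataclass
class DhcpFrame:
    port: str                                   # ingress switch port
    msg_type: str
    client_mac: str
    yiaddr: str = ""                            # address offered/assigned (replies)
    lease: int = 0                              # lease time in seconds (replies)
    option82: Optional[Tuple[str, str]] = None  # (remote-id = switch MAC, circuit-id = port)


class SnoopingSwitch:
    """Toy model of a switch running DHCP snooping (assumed API, not Cisco's)."""

    def __init__(self, switch_mac, ports, trusted=(), rate_limits=None, option82=True):
        self.switch_mac = switch_mac
        self.ports = set(ports)
        self.trusted = set(trusted)                 # ports where known DHCP servers sit
        self.rate_limits = dict(rate_limits or {})  # port -> max requests per second
        self.option82 = option82
        self.errdisabled = set()
        self.bindings = {}                          # client MAC -> (ip, lease, port)
        self.client_port = {}                       # client MAC -> port its request came in on
        self._recent = defaultdict(deque)           # port -> timestamps of recent requests

    def _over_rate(self, port, now):
        """Sliding one-second window; unlimited when no rate limit is configured."""
        limit = self.rate_limits.get(port)
        if limit is None:
            return False
        window = self._recent[port]
        window.append(now)
        while window and now - window[0] >= 1.0:
            window.popleft()
        return len(window) > limit

    def ingress(self, frame, now=0.0):
        """Apply the snooping rules to one DHCP frame; returns (action, reason)."""
        if frame.port in self.errdisabled:
            return "drop", "port is errdisabled"
        if frame.port not in self.ports:
            return "drop", "unknown port"
        trusted = frame.port in self.trusted

        if frame.msg_type in REQUEST_TYPES:
            if not trusted and self._over_rate(frame.port, now):
                # Catalyst switches err-disable a port that exceeds its DHCP rate limit
                self.errdisabled.add(frame.port)
                return "drop", "request rate limit exceeded; port errdisabled"
            self.client_port[frame.client_mac] = frame.port
            if not trusted and self.option82:
                # tag the intercepted request with relay-agent info before flooding it
                frame.option82 = (self.switch_mac, frame.port)
            return "forward", "request flooded toward trusted ports"

        if frame.msg_type in REPLY_TYPES:
            if not trusted:
                # only a rogue server can answer from an untrusted port
                self.errdisabled.add(frame.port)
                return "drop", "reply on untrusted port; port errdisabled"
            if self.option82 and frame.option82 is not None:
                remote_id, circuit_id = frame.option82
                if remote_id != self.switch_mac or circuit_id not in self.ports:
                    return "drop", "echoed option-82 does not name a port on this switch"
                frame.option82 = None  # strip relay info before delivery to the client
            if frame.msg_type == "ACK":
                # completed lease: record the binding the switch overheard
                port = self.client_port.get(frame.client_mac, "?")
                self.bindings[frame.client_mac] = (frame.yiaddr, frame.lease, port)
            return "forward", "reply delivered to client"

        return "drop", "unrecognised DHCP message type"


def demo():
    """Constructed scenario: one legitimate lease, one rogue reply, one request burst."""
    sw = SnoopingSwitch("00:11:22:33:44:55", ["Gi1/0/1", "Gi1/0/2", "Gi1/0/3"],
                        trusted=["Gi1/0/1"], rate_limits={"Gi1/0/2": 2})
    client = "aa:bb:cc:dd:ee:01"
    log = []
    req = DhcpFrame("Gi1/0/2", "DISCOVER", client)
    log.append(sw.ingress(req, now=0.0)[0])
    ack = DhcpFrame("Gi1/0/1", "ACK", client, "10.1.1.10", 86400, option82=req.option82)
    log.append(sw.ingress(ack, now=0.5)[0])
    rogue = DhcpFrame("Gi1/0/3", "OFFER", client, "10.1.1.99")
    log.append(sw.ingress(rogue, now=0.6)[0])
    for t in (0.7, 0.8):  # the third request inside one second exceeds the limit of 2
        log.append(sw.ingress(DhcpFrame("Gi1/0/2", "REQUEST", client), now=t)[0])
    return sw, log
```

Running demo() forwards the client's request and the server's ACK, records the binding for the client on Gi1/0/2, drops the OFFER that arrives on untrusted Gi1/0/3 and err-disables that port, and err-disables Gi1/0/2 once its request rate passes the configured limit.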

Configuration
! First, enable it globally on a switch
SW(config)# ip dhcp snooping

! Next, identify the VLANs where DHCP snooping should be implemented. You can give a single VLAN number as vlan-id or a range of VLAN numbers by giving the start and end VLAN IDs of the range
SW(config)# ip dhcp snooping vlan vlan-id [vlan-id]

! Identify only the ports where known, trusted DHCP servers are located
SW(config-if)# ip dhcp snooping trust

! Rate limit DHCP traffic on an untrusted port (rate is 1 to 2048 packets per second)
SW(config-if)# ip dhcp snooping limit rate rate [1-2048]

! Enable or disable option-82 globally
SW(config)# [no] ip dhcp snooping information option
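A practitioner applying the steps above usually wants to check that a deployed configuration actually matches them: snooping on globally, the right VLANs covered, trust granted only on the ports that really host DHCP servers, and rate limits on the access ports. The following Python audit is an added example, not Cisco's or the author's code. The running-config excerpt is constructed in the syntax the cheat sheet lists; the interface names, the VLAN numbers and the allow-list of known server ports are assumptions. It also accepts the hyphenated range form "vlan 10-20" as an assumed alternative to the "start end" form described above.

```python
import re

# Constructed running-config excerpt using the commands from the cheat sheet
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10 20
no ip dhcp snooping information option
!
interface GigabitEthernet1/0/1
 description uplink to DHCP server
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/2
 ip dhcp snooping limit rate 15
!
interface GigabitEthernet1/0/3
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/4
!
"""


def parse_snooping_config(text):
    """Collect the DHCP snooping settings from IOS-style running-config text."""
    cfg = {"global": False, "vlans": set(), "option82": True, "trusted": set(), "rate": {}}
    iface = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue  # "!" lines are separators, not commands
        stripped = line.strip()
        if line.startswith("interface "):
            iface = stripped.split(None, 1)[1]
            continue
        if not line.startswith(" "):
            iface = None  # an unindented line means we are back in global config mode
        if iface is None:
            if stripped == "ip dhcp snooping":
                cfg["global"] = True
            elif stripped == "no ip dhcp snooping information option":
                cfg["option82"] = False
            else:
                # "vlan A", "vlan A B" (page form) or "vlan A-B" (assumed alternative)
                m = re.fullmatch(r"ip dhcp snooping vlan (\d+)(?:[ -](\d+))?", stripped)
                if m:
                    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
                    cfg["vlans"].update(range(lo, hi + 1))
        else:
            if stripped == "ip dhcp snooping trust":
                cfg["trusted"].add(iface)
            else:
                m = re.fullmatch(r"ip dhcp snooping limit rate (\d+)", stripped)
                if m:
                    cfg["rate"][iface] = int(m.group(1))
    return cfg


def audit(cfg, server_ports, expected_vlans, access_ports):
    """Return human-readable findings where the config departs from the intended design."""
    findings = []
    if not cfg["global"]:
        findings.append("DHCP snooping is not enabled globally")
    missing = sorted(set(expected_vlans) - cfg["vlans"])
    if missing:
        findings.append(f"snooping not enabled on VLANs {missing}")
    for p in sorted(cfg["trusted"] - set(server_ports)):
        findings.append(f"{p} is trusted but is not a known DHCP server port")
    for p in sorted(set(server_ports) - cfg["trusted"]):
        findings.append(f"{p} hosts a DHCP server but is untrusted (its replies will be dropped)")
    for p in sorted(access_ports):
        if p in cfg["trusted"]:
            continue
        if p not in cfg["rate"]:
            findings.append(f"{p} has no DHCP request rate limit (unlimited)")
        elif not 1 <= cfg["rate"][p] <= 2048:
            findings.append(f"{p} rate limit {cfg['rate'][p]} is outside 1-2048")
    if not cfg["option82"]:
        findings.append("option-82 insertion is disabled")
    return findings


def demo():
    cfg = parse_snooping_config(SAMPLE_CONFIG)
    return audit(cfg, server_ports=["GigabitEthernet1/0/1"], expected_vlans=[10, 20, 30],
                 access_ports=["GigabitEthernet1/0/2", "GigabitEthernet1/0/3",
                               "GigabitEthernet1/0/4"])
```

On the constructed excerpt, demo() reports four findings: VLAN 30 is not covered, GigabitEthernet1/0/3 is trusted without hosting a known server, GigabitEthernet1/0/4 has no rate limit, and option-82 has been turned off.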

by Theodorakos Dimitrios v1.0
